Evaluation of RRB E-Government Initiative:
RUIA Contribution Internet Reporting and Payment
Report No. 03-03, December 27, 2002

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) review of the
Railroad Retirement Board’s (RRB) E-government initiative for the railroad employer
quarterly report and payment of contributions under the Railroad Unemployment and
Insurance Act (RUIA).

BACKGROUND

The RRB’s mission is to administer retirement/survivor and unemployment/sickness
insurance benefit programs for railroad workers and their families. During fiscal year
(FY) 2001, the RRB paid approximately $8.4 billion in railroad retirement and survivor
benefits to about 700,000 beneficiaries. The RRB also paid unemployment and
sickness insurance benefits of $95 million to some 40,000 claimants. As part of its
responsibilities under the RUIA, the RRB collects employer contributions which are
used to fund the RUIA benefit payments. Employers make contributions and report
them to the RRB on a quarterly basis.

In the past, employers have reported contributions by submitting a paper copy of Form
DC-1 to the RRB and have paid their RUIA contributions either by paper check or an
electronic means. The electronic payment option was implemented in 1993 when the
U.S. Department of the Treasury (Treasury) entered into a Memorandum of
Understanding (MOU) with a financial intermediary, U.S. Bank (formerly Firstar Bank),
to establish and operate an electronic system for collecting railroad retirement taxes and
contributions. This system is termed the “RRBLink” system, and employers can use
one of three different options to make electronic payments in the system.
These options include personal computer/modem technology, telephone, and telephone voice
technology. For the last quarter of calendar year 2001, approximately 73% of railroads
used the RRBLink system to pay RUIA contributions.

Under the Government Paperwork Elimination Act (GPEA), Title XVII of Public Law 105-277,
Federal agencies must provide for the optional use and acceptance of electronic
documents and signatures, and electronic record keeping by October 21, 2003. In
addition, the Administration’s Management Agenda includes a goal for Federal agencies
to expand the use of the Internet to provide government services. E-government is the
term used to describe Federal agency initiatives to use information technologies to
improve relationships with citizens, businesses and other sectors of government. For
the RRB, E-government initiatives can serve a variety of needs, including better delivery
of services to beneficiaries, improved interaction with railroad employers, customer
empowerment through access to information, and more efficient agency management.

RRB officials responsible for employer reporting have determined that employers want
to be able to exchange information with the RRB electronically. Therefore, RRB
management has developed an Employer Reporting Initiative to automate current
paper-based reporting, improve the efficiency and effectiveness of exchanges between
the agency and employers, and streamline agency processes.

As one phase of the Employer Reporting Initiative, the RRB implemented the DC-1
Internet reporting and payment project in March 2002. The contractor, U.S. Bank, in
conjunction with the RRB’s Bureau of Fiscal Operations (BFO), modified the RRBLink
system to add a new option for electronic payment over the Internet and allow for
Internet filing of the DC-1 reports for those railroads that adopted the Internet payment
option. The RRB and U.S.
Bank signed a MOU in July 2002 regarding retention of the
DC-1 data and RRB requests for information.

The RRB’s 2000-2005 strategic plan has a goal to provide excellent customer service
and includes an objective to ensure an efficient and effective reporting system for
railroad employers. The plan also has a goal for using and leveraging technology to
improve the agency’s operational efficiency and effectiveness. This review speaks
directly to these goals and objectives.

OBJECTIVE, SCOPE AND METHODOLOGY

The objective of this review was to assess the implementation of the DC-1 project. The
scope included the development of the system beginning August 2001, the DC-1 forms
filed for the quarter ending March 31, 2002, and other operations and activities relating
to the DC-1 project through October 2002.

To accomplish the audit objective, we performed the audit steps detailed below:

• reviewed pertinent laws and regulations;

• reviewed RRB policies, procedures and other documents, including the Information
  Technology Steering Committee minutes, the Information Technology Capital Plan,
  and project plans for the DC-1 project and Employer Reporting Initiative;

• reviewed systems documentation relating to RRB and U.S. Bank development
  testing;

• reviewed Internet screens from RRBLink and tested applicable controls and
  requirements;

• documented and assessed security procedures over the Internet DC-1 filing
  process, including data security and access to RRB systems;

• evaluated the agreements with the RRB, Treasury and U.S.
  Bank/Firstar Bank;

• reviewed a judgmental sample of 20 Internet DC-1’s submitted for data transmission
  and system-calculation errors;

• obtained comments from the 20 railroads in our judgmental sample on the usability
  of the DC-1 Internet filing process;

• obtained and reviewed additional input information needed by OIG’s Office of
  Investigations from U.S. Bank for a judgmental sample of three railroads;

• interviewed RRB management and staff; and

• interviewed U.S. Bank management and staff.

The OIG conducted the audit in accordance with generally accepted government
auditing standards. Auditors performed the fieldwork at the RRB headquarters office in
Chicago, Illinois from October 2001 through October 2002.

RESULTS OF REVIEW

Our review of the recently implemented DC-1 project identified significant weaknesses
in overall security of the Internet system, problems with the 2002 MOU, and concerns
about the level of railroad participation in the Internet system. Our specific findings
include:

    1. The certification of the Internet DC-1 reports and payments cannot be adequately
       validated.

    2. Security over usage of passwords should be significantly strengthened.

    3. Additional password system controls should be fully implemented.

    4. The 2002 MOU between the RRB and U.S. Bank lacks key details.

    5. The monitoring provisions in the 2002 MOU for privacy and security of DC-1 data
       are inadequate.

    6. The RRB needs to encourage increased participation in the Internet system to
       ensure it is not underused.

Detailed findings and recommendations are discussed below.

Certification of Internet DC-1 Cannot Be Adequately Validated

The RRB cannot adequately validate the certification of any Form DC-1, Employer’s
Quarterly Report of Contributions under the RUIA, filed using the Internet. Employers
filed over 200 DC-1 forms using the Internet system for the first and second quarters of
calendar year 2002.

Two requirements for successful information assurance are authentication (users are
who they claim to be) and non-repudiation (the user cannot deny his/her identity and
responsibility for the action). The GPEA defines “electronic signature” as a method of
signing an electronic message that (1) identifies and authenticates a particular person
as the source of the electronic message and (2) indicates such person’s approval of the
information contained in the electronic message. The Office of Management and
Budget’s (OMB) guidance to implementation of the GPEA states that agencies should
develop well-documented mechanisms and procedures to link transactions to
individuals in a legally binding way.

The OMB’s guidance recommends that, where necessary, agencies use a mutually
understood, signed agreement between the person submitting the electronically signed
information and the receiving Federal agency. These agreements ensure that all
conditions of submission and receipt of data electronically are known and understood by
the submitting parties. This procedure is particularly desirable when terms and
conditions are not specified in agency regulations.
OMB’s guidance also states that it is
important to establish that the user of the electronic signature is fully aware of
obligations to which he or she is agreeing at the time of signature.

Authorized employer personnel certify the accuracy and validity of the electronic form
DC-1 through the use of their user identification (ID), password and personal
identification number (PIN). These items are assigned by U.S. Bank upon completion of
a valid enrollment form. This electronic signature replaces the business filer’s written
signature. In order to fully validate the Internet DC-1, the RRB must be able to link the
user ID, password and PIN to a specific individual and verify that the individual fully
understood the certification process and intended to certify the DC-1. However, the
RRB cannot effectively authenticate the DC-1 form because the agency and U.S. Bank
have insufficient controls over the Internet enrollment process.

Prior users of other deposit methods for this system did not have to sign any type of
statement acknowledging their approval to enroll in the Internet option or their
understanding and agreement that the use of their user ID, password and PIN would
constitute certification of a transaction. U.S. Bank mailed a unique user ID and
password to all persons of record who were previously enrolled to use one of the other
deposit methods. These railroad individuals did not have to complete new enrollment
forms for system access. Instead, access to the Internet system was granted based on
their prior enrollment form for one of the other deposit methods. These enrollment
forms did not provide any information about the new and important terms and conditions
of enrollment in this system.

New users of the system are sent an enrollment form that has not been updated to
include full details on the new Internet option.
Thus, new users do not receive sufficient
information about the terms and conditions of the Internet system and do not provide
written acknowledgment that they understand and agree that their user ID, password
and PIN represent an electronic signature.

In addition, all Internet users are not sufficiently informed and reminded of the
importance of the user ID, password and PIN. The RRBLink Users Manual that is
mailed to users and the RRBLink website screens do not have any information on the
importance of certification.

Because of inadequacies in the enrollment process and the lack of sufficient information
regarding the certification of the Internet DC-1, the certification of every Form DC-1 filed
using the Internet, including the corresponding RUIA payment, can be repudiated. As a
result, the RRB might not be able to enforce civil or criminal penalties for false or
fraudulent statements, as provided under federal law.

Recommendation

BFO should direct U.S. Bank to:

• revise Internet enrollment forms to clearly explain that use of the user ID, password
  and PIN constitutes certification of a Form DC-1. In addition, the form should
  include a section requiring the applicant to acknowledge their understanding and
  approval of this fact by written signature (Recommendation #1).

• obtain new enrollment forms for all individuals currently enrolled in the system
  (Recommendation #2).

• revise the RRBLink Users Manual and include information on the RRBLink website
  screens to clearly explain that use of the user ID, password and PIN constitutes
  certification of a Form DC-1 (Recommendation #3).

Management’s Response

BFO concurs with all three recommendations and will confer with U.S. Bank by January
31, 2003 to determine when the recommendations can be implemented and the
associated costs.
BFO will determine final completion dates for corrective action after
obtaining this information from U.S. Bank. A copy of the complete response is included
in Attachments I and II.

Password Security Needs Strengthening

Authorized Internet users are sometimes sharing their access to this secure system with
individuals who have not been officially granted access to the electronic payment
system. These users have either given their user ID, password, and PIN to a coworker
not previously authorized by U.S. Bank or have logged on to the system for another
unauthorized individual to use. As a result, unauthorized users have access to this
system.

Strong password security ensures proper access to systems and data. The General
Accounting Office’s Federal Information Systems Control Audit Manual and the National
Institute of Standards and Technology’s Federal Information Processing Standards,
Publication 112, advise that passwords should be individually owned, rather than owned
in common or in groups, in order to provide individual accountability within a computer
system. The password should be controlled by the assigned user and not subject to
disclosure. The OMB’s implementation guidelines for GPEA state that agencies should
establish adequate guidelines for password creation and protection.

In order to access the Internet, a railroad individual must log on with a valid user ID,
password and PIN. In order to obtain authorized access, the individual must complete
an enrollment form in writing and mail the form to the U.S. Bank system administrator.
Upon validation of this form, the system administrator will mail a confirmation of
enrollment containing information needed for authorized access.

Individuals are responsible for the security of their access information. They are not to
share their user ID, password and PIN.
Each individual that needs access to the
system should complete an enrollment form and obtain his/her own access. There is
currently no restriction on the number of authorized users that a railroad employer can
have.

The RRB has not instructed U.S. Bank to educate users about the importance of
maintaining security over access. The Users Manual does not emphasize the
importance of password security and the prevention of access to the system by
unauthorized users. RRBLink documentation and instructions do not inform users that
they should not share their access with coworkers. There is no global message on the
RRBLink website nor do any of the website screens include information regarding
password security. In addition, the confirmation of enrollment form for the system does
not provide information on password security.

Because some authorized users do not practice prudent security over their access, it is
more difficult for the RRB and U.S. Bank to adequately maintain secure control over the
Internet system. Poor password security and practices unduly compromise the Internet
system and employer data because they allow unauthorized users to conduct
unapproved and invalid transactions and obtain access to confidential data, including
tax information. These poor practices also undermine controls mentioned in our
previous finding concerning the validation of certification of Internet DC-1 reports and
payments.

Recommendation

BFO should direct U.S. Bank to:

• revise the RRBLink Users Manual to include a section on password security and
  provide a copy of this revision to the enrolled users.
  At a minimum, this section should include statements: (a) prohibiting the sharing of
  passwords and logging on of unauthorized users and (b) explaining the risk to the
  system and its data of improper password usage (Recommendation #4).

• include information regarding password security on the RRBLink website
  (Recommendation #5).

• include a statement regarding password security on the confirmation of enrollment
  forms provided to individuals granted access (Recommendation #6).

Management’s Response

BFO agrees with all three recommendations and will confer with U.S. Bank by January
31, 2003 to determine when the recommendations can be implemented and the
associated costs. BFO will determine final completion dates for corrective action after
obtaining this information from U.S. Bank. A copy of the complete response is included
in Attachments I and II.

Important Password System Controls Were Not Implemented

The contractor did not fully implement two important password controls: restrictions on
password use and limits on log-on attempts. The system did not restrict the use of old
passwords even though users had to periodically change their password. As an
example, a user could change his password and then immediately change back to the
previous password. In addition, invalid log-on attempts were not limited, recorded or
reviewed.

Strong password controls ensure proper and valid access to systems and data. The
General Accounting Office’s Federal Information Systems Control Audit Manual and the
National Institute of Standards and Technology’s Federal Information Processing
Standards, Publication 112 contain general guidelines for securing information
technology systems for the Federal government.
The guidelines indicate that
passwords should be changed periodically and should have restrictions on re-use, such
as prohibiting re-use for a set time period. These standards also indicate that attempts
to log on with invalid passwords should be limited, and invalid attempts should be
recorded by the system and regularly reviewed. The RRBLink Users Manual also
states that passwords cannot be reused for 90 days.

U.S. Bank had agreed to include the password reuse control when developing the
system. However, an oversight in development resulted in the control not being
programmed into the system and RRB testing did not identify this control deficiency.
The RRB did not request inclusion of an access control for log-on attempts in the
system development and therefore, the contractor did not build this security control into
the system.

The lack of a password reuse control and the fact that invalid logon attempts are not
limited, recorded, or reviewed unduly compromise the Internet system and employer
data. Unauthorized users and computer hackers could more easily gain access to the
system, conduct unapproved and invalid transactions, and obtain access to confidential
data, including tax information.

Weaknesses in these password system controls also undermine controls mentioned in
our previous findings to ensure adequate validation of certification. Once the OIG
informed the U.S. Bank system administrator that the password reuse standard detailed
in the Users Manual was not in effect, U.S. Bank implemented the control. The OIG
re-tested this control and determined that it is now working as intended. Therefore, the
OIG is not making a recommendation concerning this finding.

Recommendation

BFO should direct U.S.
Bank to:

• Implement a control to limit the number of invalid logon attempts (Recommendation
  #7), and

• Implement a policy to record invalid attempts in an exception report and review the
  report for potential follow-up action (Recommendation #8).

Management’s Response

BFO concurs with both recommendations and will confer with U.S. Bank by January 31,
2003 as to when the recommendations can be implemented and the associated costs.
BFO will determine final completion dates for corrective action after obtaining this
information from U.S. Bank. A copy of the complete response is included in
Attachments I and II.

The 2002 MOU Regarding Internet DC-1 Form Lacks Key Details

The RRB and U.S. Bank recently signed a new MOU regarding retention of the DC-1
data and RRB requests for information. This agreement is not adequate because it
does not state:

• the amount of time the bank has to reply to a request for information;

• how the bank will determine costs for handling information requests;

• who has the right to audit the amounts charged by the bank;

• the mechanism for resolving disputes over provisions;

• the penalties for non-compliance with the agreement;

• exactly what documentation the bank needs to release information; and

• what information must be provided by the bank (it only states what information may
  be provided by the bank).

A MOU is an agreement between two parties that should include clearly defined
performance requirements and details to satisfy both parties’ needs.
The MOU
language should be sufficiently clear and detailed to avoid disputes over provisions of
the agreement or to easily remedy any disputes.

The 2002 MOU does not contain these provisions because program personnel who
prepared the document believed that privacy, security, controls, and other details were
covered in the 1993 MOU that governed RRBLink. Therefore, they believed that these
provisions did not need to be restated in the current agreement. However, the
provisions of the 1993 agreement between Treasury and U.S. Bank do not
automatically apply to the 2002 MOU between the RRB and the bank because there are
different parties to each agreement. In addition, the Form DC-1 was not included in the
1993 agreement.

Because the 2002 MOU lacks key details, U.S. Bank may not meet the expectations of
the RRB concerning performance of key issues such as timeliness in the release of
information needed for an investigation, quality of information provided, and charges to
the agency for information requested under the agreement. The agency also could
incur unnecessary costs and delays because no agreement has been made concerning
dispute resolution and penalties.

Recommendation

The BFO should consult with the RRB’s Office of General Counsel to determine
additional details, including those stated above, that are needed for the MOU and
should revise the MOU accordingly (Recommendation #9).

Management’s Response

BFO agrees with the recommendation and will consult with the RRB’s Office of General
Counsel to determine necessary MOU changes. BFO will revise the MOU by
December 31, 2003. A copy of the complete response is included in Attachments I and
II.

2002 MOU Monitoring Provisions for Privacy/Security of DC-1 Data Are Inadequate

The 2002 MOU does not specifically state how the privacy and security of DC-1 data
will be monitored.
This agreement states that the privacy and security of information as
covered in the 1993 MOU applies equally to Form DC-1, but is incomplete because it
does not state how the RRB will monitor this performance.

OMB Circular A-123 requires Federal managers to establish management controls that
include policies and procedures to reasonably ensure that programs achieve their
intended results, and that laws and regulations are followed. The agency must have
adequate oversight of the security and privacy of the DC-1 data to ensure that electronic
filing is meeting these criteria. In addition, the RRB’s records retention schedule states
that employer contribution files, which include the DC-1 data, should be maintained for
six years and three months. Federal regulations require adherence to the agency’s
records retention schedule.

The 2002 agreement does not contain monitoring provisions because RRB
management assumed that Treasury would monitor compliance since the Form DC-1
was added to the system already covered under the 1993 MOU. However, this
assumption is invalid because Treasury has not formally agreed to monitor DC-1 data,
and Treasury has no legal responsibility to do so. The 1993 agreement covered the
collection of Federal tax deposits from railroad employers. The collection of these taxes
is the responsibility of Treasury under the Railroad Retirement Tax Act. Collection of
DC-1 contribution data is the responsibility of the RRB under the RUIA, as is the
oversight responsibility for the privacy, security, and accuracy of this data.

Auditing the system at U.S. Bank in which the DC-1 data resides is part of the
monitoring process. RRB management has advised that Treasury is currently
performing a risk assessment of the bank’s system.
Since this data is located on the
same system as the tax data, the RRB believes that it can rely on Treasury’s review if
Treasury includes the DC-1 in the scope of its review. However, this reliance would not
eliminate the RRB’s overall responsibility for the DC-1 data.

Because of the deficiencies in the 2002 MOU, DC-1 data is at risk of improper
disclosure and unlawful destruction without adequate monitoring. If such actions
occurred, the RRB would be in violation of Federal regulations governing records
retention.

Recommendation

BFO should revise the MOU to state how the agency will monitor compliance with the
privacy and security provisions of the agreement (Recommendation #10).

Management’s Response

BFO agrees with the recommendation and will confer with U.S. Bank and the
Department of Treasury to determine necessary revisions to the MOU. BFO will
complete the MOU revisions by December 31, 2003. A copy of the complete response
is included in Attachments I and II.

Increased Participation in the Internet System Is Needed

The RRB needs to encourage increased Internet participation to ensure that the system
is not underused. The initial implementation of the system was encouraging, with
approximately 20% of all railroads filing through the Internet for the first quarter of 2002.
However, the growth during the second quarter of 2002 was minimal, as only ten
additional railroads began filing in the second quarter.
In addition, the railroads
reporting on the Internet account for a small percentage of total RUIA contributions.

                                                                   Contribution Paid/
  Reporting Period    Railroads Reporting    % of Railroads Filing   Percent of All Railroads
  1st Qtr, 2002       100                    20%                     $1.2 million/4%
  2nd Qtr, 2002       110                    22%                     $1.6 million/5%

None of the seven major railroads are using the Internet for DC-1 reporting and
payments. These railroads contributed approximately 70% of total RUIA compensation
in calendar year 2001. By comparison, the railroads using the Internet system provided
5% or less of the total RUIA compensation during the same period.

Approximately 285 railroads paid RUIA contributions using an electronic process other
than the Internet, while 121 railroads paid by check for the first quarter of 2002. These
electronic payment methods include personal computer/modem and touch-tone
telephone technology. Railroads that pay contributions by one of these electronic
methods or that pay by check must still file a paper Form DC-1 with the RRB.

The Administration’s Management Agenda includes a government-wide goal for
expanded use of the Internet to provide government services. Effective implementation
of this goal is important in making government more responsive to and cost-effective in
servicing customers. E-government is critical to meeting current customer’s
expectations for interaction with the RRB. It will enable the agency to align efforts as
needed to significantly improve service and reduce operating costs.

The RRB’s 2000-2005 Strategic Plan states that the agency should ensure an efficient
and effective reporting system for railroad employers and should deliver service at the
point-of-contact (“one and done”).
The plan also states that information technology
resources will be developed to improve the agency’s performance while operating with
fewer resources and technology initiatives should fundamentally improve the efficiency
and effectiveness of the agency’s mission.

Railroad participation in the Internet system has not increased greatly because the RRB
has not yet effectively marketed the new system throughout the railroad community.
The RRB has not prepared a comprehensive plan or initiated a targeted effort to
publicize the benefits of the Internet DC-1 and encourage railroads to use the system.
Such a plan could include:

• aggressively promoting the new system at periodic meetings with railroads,

• conducting training sessions with railroad officials,

• publicizing the system at special meetings of the railroad trade associations,
  such as the Association of American Railroads and the American Short Line and
  Regional Railroad Association, and

• enhancing the RRB’s website to more prominently feature and advertise the
  system.

Currently, the RRB manually processes over 400 paper Form DC-1’s and more than
100 paper checks for contribution payments each quarter. Increasing the use of
Internet filing and payment will result in significant processing savings over paper
reporting and check payments. The use of the Internet allows railroads to file the DC-1
report and schedule the payment as a one point-of-contact process with the RRB
online. Paper reporting requires a separate additional process to make the payment.
In addition, the agency and the more than 100 railroads now paying by check will receive
the additional savings of using an electronic payment process.

Recommendation

BFO should implement a plan to encourage increased railroad participation in the
Internet system (Recommendation #11).

Management’s Response

BFO agrees with the recommendation and advised that, after revising the RRBLink
Internet enrollment form per recommendation #1, they will work with U.S. Bank and the
RRB’s Assessment and Training unit to implement a plan to encourage expanded
usage of the Internet system. BFO will determine final completion dates for corrective
action after establishing a completion date for recommendation #1. BFO also advised
that for the third quarter of 2002, over 150 railroads filed through the Internet. A copy of
the complete response is included in Attachments I and II.
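
The two controls discussed under "Important Password System Controls Were Not Implemented" (the 90-day reuse restriction, and limiting, recording and reviewing invalid log-on attempts per Recommendations #7 and #8) can be sketched as follows. This is an added example, not code from RRBLink, U.S. Bank or the OIG report; the class and function names, the three-attempt threshold and the sample user ID and passwords are assumptions, and the PIN factor is omitted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REUSE_WINDOW = timedelta(days=90)  # reuse period the report quotes from the Users Manual
MAX_INVALID_ATTEMPTS = 3           # assumed threshold; the report does not state one


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    current: bytes
    # Retired passwords as (hash, retired_at); this is what the reuse check consults.
    history: list = field(default_factory=list)
    invalid_attempts: int = 0
    locked: bool = False


class AccessControl:
    """Hypothetical log-on service; the PIN factor is left out to keep the example short."""

    def __init__(self):
        self.accounts = {}
        self.invalid_log = []  # every rejected log-on, kept for the exception report

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)  # one salt per account keeps the history comparison simple
        self.accounts[user_id] = Account(salt, _hash(password, salt))

    def change_password(self, user_id: str, new_password: str, now: datetime):
        acct = self.accounts[user_id]
        candidate = _hash(new_password, acct.salt)
        if hmac.compare_digest(candidate, acct.current):
            return False, "same as current password"
        for old_hash, retired_at in acct.history:
            # The defect in the report: without this check a user could change the
            # password and immediately change back to the previous one.
            if now - retired_at < REUSE_WINDOW and hmac.compare_digest(candidate, old_hash):
                return False, "password used within the last 90 days"
        acct.history.append((acct.current, now))
        acct.current = candidate
        return True, "changed"

    def log_on(self, user_id: str, password: str, now: datetime) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._reject(user_id, now, "unknown user ID")
        if acct.locked:
            return self._reject(user_id, now, "account locked")
        if hmac.compare_digest(_hash(password, acct.salt), acct.current):
            acct.invalid_attempts = 0
            return True
        acct.invalid_attempts += 1
        if acct.invalid_attempts >= MAX_INVALID_ATTEMPTS:
            acct.locked = True  # limit on invalid attempts (Recommendation #7)
        return self._reject(user_id, now, "invalid password")

    def _reject(self, user_id: str, now: datetime, reason: str) -> bool:
        self.invalid_log.append({"user_id": user_id, "time": now, "reason": reason})
        return False

    def exception_report(self, since: datetime) -> dict:
        """Invalid attempts per user ID since `since`, for review (Recommendation #8)."""
        report = {}
        for entry in self.invalid_log:
            if entry["time"] < since:
                continue
            acct = self.accounts.get(entry["user_id"])
            row = report.setdefault(
                entry["user_id"],
                {"attempts": 0, "locked": bool(acct and acct.locked)},
            )
            row["attempts"] += 1
        return report


def demo() -> dict:
    """Constructed scenario: one enrolled user, a change-back attempt, then bad log-ons."""
    t0 = datetime(2002, 4, 1)
    ac = AccessControl()
    ac.enroll("rr-user-1", "Spring-2002!")
    ac.change_password("rr-user-1", "Summer-2002!", t0)
    change_back = ac.change_password("rr-user-1", "Spring-2002!", t0 + timedelta(minutes=1))
    for guess in ("guess-1", "guess-2", "guess-3"):
        ac.log_on("rr-user-1", guess, t0 + timedelta(days=1))
    locked_out = ac.log_on("rr-user-1", "Summer-2002!", t0 + timedelta(days=1))
    return {
        "change_back": change_back,
        "correct_password_after_lockout": locked_out,
        "report": ac.exception_report(t0),
    }


if __name__ == "__main__":
    print(demo())
```

The reuse window here is measured from the moment a password was retired, which is one reading of the Users Manual statement quoted in the report.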